diff --git a/hosts/web-arm/modules/atticd.nix b/hosts/web-arm/modules/atticd.nix
index c33c146..227f49c 100644
--- a/hosts/web-arm/modules/atticd.nix
+++ b/hosts/web-arm/modules/atticd.nix
@@ -27,29 +27,25 @@ in {
 # API endpoint configuration
 api-endpoint = "https://${atticHost}/";
- # Allow automatic registration (set to false for production if you want to control access)
- allow-registration = false;
-
 # Require tokens for all operations
 require-proof-of-possession = true;
+ # Chunking settings for large uploads
 chunking = {
- # Minimum chunk size: 16 MiB
- min-size = 16 * 1024 * 1024;
- # Average chunk size: 64 MiB
- avg-size = 64 * 1024 * 1024;
- # Maximum chunk size: 256 MiB
- max-size = 256 * 1024 * 1024;
+ nar-size-threshold = 65536;
+ min-size = 16384;
+ avg-size = 65536;
+ max-size = 262144;
 };
 # Garbage collection
 garbage-collection = {
 # GC interval in seconds (12 hours)
- interval = 12 * 60 * 60;
+ interval = "12 hours";
 # Delete unreferenced chunks after 7 days
- default-retention-period = 7 * 24 * 60 * 60;
+ default-retention-period = "6 months";
 };
 # Storage configuration
@@ -57,7 +53,7 @@ in {
 # Use local filesystem storage
 type = "local";
 # Store in /var/lib/atticd
- path = "/var/lib/atticd/storage";
+ path = "/var/lib/atticd-storage";
 };
 # Optional: S3-compatible storage (commented out)
@@ -70,7 +66,8 @@ in {
 # Database configuration
 database = {
- url = "postgresql://atticd@/atticd?host=/run/postgresql";
+ # url = "postgresql://atticd@/atticd?host=/run/postgresql";
+ url = "postgresql:///atticd?host=/run/postgresql&user=atticd";
 };
 # Compression
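Review bot: The two garbage-collection comments kept as context in the first hunk no longer match the values below them: `# GC interval in seconds (12 hours)` now sits above a duration string, and `# Delete unreferenced chunks after 7 days` above `default-retention-period = "6 months";`. Suggest `# GC interval (humantime duration string)` and `# Delete unreferenced chunks after 6 months`, and it is worth stating in the commit message that retention grew from 7 days to 6 months, since that changes how much the storage backend can accumulate. The same drift appears in the second hunk, where `# Store in /var/lib/atticd` remains above the new `/var/lib/atticd-storage` path. The enclosing settings attribute set starts and ends outside these hunks.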
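Review bot: The old connection string is left behind as a commented-out line directly above its replacement, `# url = "postgresql://atticd@/atticd?host=/run/postgresql";`, in the third hunk. Dead configuration in a NixOS module is better carried by git history; if the old form was rejected, a one-line comment saying why (for example how the role name is resolved over the socket) is more useful to the next reader than the literal. Both strings appear to describe the same local-socket connection as role `atticd`, so whatever behavioural difference motivated the change is not visible from the hunk and should be named.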
@@ -82,33 +79,34 @@ in {
 };
 };
+ # Create state directory with proper permissions
- systemd.services.atticd = {
- serviceConfig = {
- StateDirectory = "atticd";
- StateDirectoryMode = "0750";
- # Security hardening
- PrivateTmp = true;
- ProtectSystem = "strict";
- ProtectHome = true;
- NoNewPrivileges = true;
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- LockPersonality = true;
- ProtectProc = "invisible";
- ProtectClock = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectHostname = true;
- SystemCallFilter = "@system-service";
- SystemCallErrorNumber = "EPERM";
- # Resource limits
- LimitNOFILE = 65536;
- };
- };
+ # systemd.services.atticd = {
+ # serviceConfig = {
+ # StateDirectory = "atticd";
+ # StateDirectoryMode = "0750";
+ # # Security hardening
+ # PrivateTmp = true;
+ # ProtectSystem = "strict";
+ # ProtectHome = true;
+ # NoNewPrivileges = true;
+ # RestrictNamespaces = true;
+ # RestrictRealtime = true;
+ # RestrictSUIDSGID = true;
+ # LockPersonality = true;
+ # ProtectProc = "invisible";
+ # ProtectClock = true;
+ # ProtectKernelLogs = true;
+ # ProtectControlGroups = true;
+ # ProtectKernelModules = true;
+ # ProtectKernelTunables = true;
+ # ProtectHostname = true;
+ # SystemCallFilter = "@system-service";
+ # SystemCallErrorNumber = "EPERM";
+ # # Resource limits
+ # LimitNOFILE = 65536;
+ # };
+ # };
 # Nginx reverse proxy configuration
 services.nginx.virtualHosts."${atticHost}" = {
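Review bot: Commenting out the whole `systemd.services.atticd.serviceConfig` block drops every sandboxing directive the unit had (`ProtectSystem = "strict"`, `NoNewPrivileges`, `SystemCallFilter`, `ProtectHome`, and the rest) together with the 0750 state-directory mode, while the new comment above it, `# Create state directory with proper permissions`, describes code that no longer runs. If the motivation was that `ProtectSystem = "strict"` made the new storage location read-only — presumably, given the move to `/var/lib/atticd-storage` elsewhere in this commit — the narrower fix is to keep the block and add `ReadWritePaths = [ "/var/lib/atticd-storage" ];`, so only that path is opened up. If instead the block conflicted with hardening the upstream NixOS module already applies, delete it rather than leaving 26 commented lines, and record that reason in a comment so the hardening is not assumed to be in place.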
@@ -193,11 +191,18 @@ in { services.postgresql.ensureDatabases = [ "atticd" ]; services.postgresqlBackup.databases = [ "atticd" ]; + + services.borgbackup.jobs.default.exclude = [ - "/var/lib/atticd" + "/var/lib/atticd-storage" ]; - fileSystems."/var/lib/atticd/storage" = { + systemd.tmpfiles.rules = [ + "d /var/lib/atticd-storage 0755 atticd atticd -" + ]; + + environment.systemPackages = [ pkgs.cifs-utils ]; + fileSystems."/var/lib/atticd-storage" = { device = "//u149513.your-backup.de/u149513-sub9/"; fsType = "cifs"; options = let diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml index 5ad9fc9..903206d 100644 --- a/hosts/web-arm/secrets.yaml +++ b/hosts/web-arm/secrets.yaml 
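Review bot: The tmpfiles rule `d /var/lib/atticd-storage 0755 atticd atticd -` makes the cache storage directory world-readable on the host, whereas the state directory this replaces was created with mode 0750; if any cache served from here is private (the config keeps `require-proof-of-possession = true`), local users could read chunk data straight from disk before the share is mounted or if the daemon ever writes to the unmounted directory, so `0750` is the safer choice. Effective permissions once the CIFS share is mounted come from the mount options, which continue past the end of the hunk (`options = let …`), so those should agree with the directory mode. The rule also requires a static `atticd` user and group to exist at boot; if the atticd unit runs under a dynamic user, systemd-tmpfiles will reject the line — worth confirming against the module. The enclosing attribute set extends beyond both ends of this hunk.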
@@ -21,7 +21,7 @@ victoria-nginx-password: ENC[AES256_GCM,data:+rKDzML5eQX47JF1i/ZU9jwdeLgRXPyzwSC
 nextcloud-adminpass: ENC[AES256_GCM,data:/vt17v+aaucz8sq/uYUA0hlj1urKNYcmCN0LbgGAMhWoTiTwzYr5FzrygOuZWZBeaAFH1pWItTZRXj74OX8XqutLPlYDg/jZqLszU0/9HgSBoHb5ZnPUpzIjNI9dpMttPphpo5TVrYKoh/vR3OWjJa3ObcpGLdvMQc1r8ABEvvg=,iv:0xW7++80CwZy0O4J3bFElqp0ZMC+RpO5kcczshM1pzg=,tag:PJj5PHfkoHE8jRbS4mpq6Q==,type:str]
 nextcloud-secrets: ENC[AES256_GCM,data:FwP+z4B03m0VEFEb8c/UwBKMcWXo+2dnlBAuO4SCVXNBLdq3IK+e8gGzKima+sac+WZ3k3ncPAqyIomBLwEmIUB/24xYx4SL6AddwDoyytZbVDv5Zt7Vpvy6aheOvARoqez3pWMaC+rW11JFVw==,iv:BT9eGRUhHMbwkhuQ+cC32zHICRbm2hQQeVfIHrCB+JM=,tag:GNpdz1QYEcfVvmkjFJY1vg==,type:str]
 nextcloud-smb-credentials: ENC[AES256_GCM,data:Ra1iVCP/Y1G87oDrn01JxorTQy6d80POKIVEbHPttrd6x5QgEvvyWIz6rCiK4mEH,iv:6wXHBSwq9P+tHrkB82ZReFXsUOF0rDi2hpZ8jXLU7OE=,tag:Fu4RB0hPyHFpN6YLTtfGDQ==,type:str]
-atticd: ENC[AES256_GCM,data:a7ueVdAc5OH43JQI+hhVGbBBaeKo2SIqB6TlNAGLg1qIP/z7FfZbxrxvGhrtqhuMfkcJurhnQAGmj2e16eqH9uC3GSM4Hltc64IsZQE=,iv:tl08AndTPAoZjYO5dZgwjNrb8gTpMUJtygCqVNNWZTE=,tag:f9yFk+q5Naowvj6nIT7Wag==,type:str]
+atticd: ENC[AES256_GCM,data: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,iv:0p5WHQ3GelBseeTSR0vpwoUSK5MFlWe1jCZ26hd2Zek=,tag:p3GuWRhCNjYPhgJW+DXAWg==,type:str]
 atticd-smb-credentials: ENC[AES256_GCM,data:QbCHw+Y//9r60zlP3yceWnYME+rNom4NWnuxwV+d5zzPtzkd377hmqMFPHcbUuJti2KQ3ww6RtFbv02SbNBqahrVwBNSmowr0D7suw==,iv:5xIAW3O0EDuKGtbQSSphLJuWjqbpRnD7B2rypC6Qu3w=,tag:op+NMyWSp2bmrGNkQ/glkw==,type:str]
 pushover-api-token: ENC[AES256_GCM,data:itcWlyaJi+saBmhLabOOgbOej9yxQgCIiwU9uuOg,iv:dnD12MPZsENogsnCMGpZe1F0cC4eFfefSx7sP9Fl9Mw=,tag:lk1+pkvNab6yG0Sv/+TVIQ==,type:str]
 pushover-user-key: ENC[AES256_GCM,data:swXKXMAeCyYbBQNAEEpDTJXjdNmFFVWnhExAqfnn,iv:AZd6phibpwEX97U/SzeiRoFFL3TviSONwOWkPsXdcKc=,tag:+mzfrxHpTWOzb3bEzN3D5Q==,type:str]
@@ -67,7 +67,7 @@ sops:
 QVNnMUNpcjg5YnhvbjIxUVVXNE44d1UK+X4arcItFuQPzFHX/1L8+KiU+MHmqBdK
 nqJ+vibancZRxkBEE4fKbbOWS3kdcU+uWhk1nXkVlaz8Bq6qtctSqw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-14T17:59:28Z"
- mac: ENC[AES256_GCM,data:5dAFYstFhWXVjY7zjA42G4dH4R7fDzp+5oZrWZ6RXD9GmXhrZiHQE+KBDf2LsBQk1YiF+voNHBTBFT8TZ5FXWxxjsh/XIehWJTDL6XCsRxRuOhUovePxU6ZZj4VrGPTVELXo1zORdPu08VBcrStb2FX8fA5csAXkt6p0yYWctfc=,iv:uo+YpMTognBequ3yFkYM0v2J8Ysf356FtuCi+6GPlPo=,tag:qhJy1I5Dk+Hr8x4KT17coA==,type:str]
+ lastmodified: "2025-10-14T19:34:03Z"
+ mac: ENC[AES256_GCM,data:PTPwZoW6KTL6CHodLVi4stn37JLg2jIBtsGE7CsW0VkVroNo/5wVvFj2xl0Zzcj3u5y3xwFMt4qo6orqyor0sTHKZA6KiwcqHlwvlJAqY1VQD//L/+NggBvLOyhwrmi3Wokokfdn0ysPrDaS6lHyvAGixWZWhIiNr0X03KKvQTY=,iv:xZkh0ZfsC1spN36+1xoFbZwuIYWZmVONPzCTDATi7VM=,tag:fSUMNytbRaJC1UZzCXsFAQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0